Force Password Sync option for NDS for NT.

This document (10016390) is provided subject to the disclaimer at the end of this document.

goal

Force Password Sync option (FPS) for NDS for NT.

fact

Formerly TID 2949197

fix

NDS for NT 2.0 introduced a new feature called "Force Password Sync" (FPS). See TID 2949095 for additional information about where this option can be set and how it affects the NDS and NT passwords.

When FPS is set during Domain migration (during the installation of NDS for NT), it affects the migrated users differently depending on the migration type. If the migrated user was set to "Create As", FPS will be set to ON for the NDS/NT user. If the migrated user was set to "Associate With", FPS will be set to OFF for the NDS/NT user (unless it was already set to ON prior to migration; the migration itself will not set it ON).

The NDS for NT migration will successfully migrate the NT MD40 encrypted password, so the user will log in to the NT Domain with the same password as before the migration. Once the migration has completed, the administrator must manually set FPS to ON for all users that were migrated with the "Associate With" setting. If there are a large number of users, it is recommended that the administrator use the "Details on Multiple Users" option to set FPS to ON for all users in a container.

A potential problem is that any user that was migrated with the "Create As" setting will only be valid for NT login. An attempt to log in to NDS with this user will generate an error. See TID 2934587 for details on this issue. Administrators must reset the NDS password or otherwise "touch" the password to create the necessary attribute links that will allow the user to log in.

At this point, when the user logs in to NDS/NT one of the following will happen:

1. If NDS and NT passwords were the same before migration and FPS is set to ON, the password is still expired. The user will successfully be logged in to both NDS and NT with the single password, but will need to change the password.

2. If the passwords were different before migration, then the user will have to enter both passwords (the MS logon GUI will pop up after Novell's NWGINA) and should mark the option for "Change your Windows NT password to match your NetWare password after a successful login" to change NT to match NDS. At this point, if FPS is set to ON, the passwords will stay matched.

Once passwords are synced, they will remain synced when using any of the following methods to change the password:

1. User Manager for Domains

2. Ctrl-Alt-Del and clicking on "Change Password"

3. Using the "Change Password" button in NWADMN32 for the user object's details

4. Changing password during login when the previous passwords have expired

A good method for future users is to create a User Template that has the appropriate Domain memberships with FPS set to ON. As mentioned in TID 2949095, this will expire the NDS password and set the NT and NDS password to "No Password"/blank. After the first login, the user will be prompted to change their password, which will change both the NDS and NT passwords.

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.